The Legal Industry Hacked: Why Ephemeral Messaging is Critical

In late March of 2016, the Wall Street Journal reported that hackers had broken into the computer networks at some of the country’s most prestigious law firms, including Cravath, Swaine & Moore and Weil Gotshal & Manges LLP.

In early April of 2016, the American Lawyer wrote, “The international legal community had its Edward Snowden moment on Sunday, when newspapers around the world published excerpts from an unprecedented document leak tied to the Panamanian law firm Mossack Fonseca.”

These aren’t, of course, the first times that major institutions have been hacked. In October of 2012, hackers published online “thousands of personal records from 53 universities, including Harvard, Stanford, Cornell, Princeton, Johns Hopkins … and other universities around the world.”

The damage from these hacks has been enormous, including significant damage to the clients of the hacked law firms. While some of Mossack Fonseca’s clients may have been engaging in suspect activities, it looks like many of the “outed” clients were engaged in legitimate business transactions. Why should these clients have had their business dealings – and business strategies – exposed to the public?

I have wondered for a long time why more law firms don’t use ephemeral messaging systems. These systems are defined as systems that mimic standard email and SMS text (for the mobile lawyer), except that ephemeral messages generally can’t be forwarded, copied or saved. And once the intended recipient reads an ephemeral message and closes it, it is gone forever and leaves no trace – so it can’t be hacked.

Law firms have traditionally believed that they don’t need ephemeral messaging because they have the benefit of the attorney/client privilege. Lawyers assert that this privilege protects communications between lawyers and their clients from public disclosure. That argument isn’t very persuasive after the Cravath, Weil and Mossack Fonseca hacks.

Law firms have also argued that ephemeral messaging doesn’t work for them because they need to keep a record of the legal advice they give. Well, okay, but some of the best ephemeral messaging systems permit users to retain a copy of their ephemeral messages in a system of record.

But if you keep a copy, then what’s the difference between that and regular email? Can’t the copy of the “ephemeral message” be hacked?

That’s a good question, but a law firm using a top notch ephemeral messaging system would keep just one copy of its ephemeral messages, and that one copy would be kept in an especially secure environment. And only a couple of people would have access to that secure environment. One of the biggest vulnerabilities that a law firm, or any other institution has is the sheer number of people with access to the email system. Each of a law firm’s employees are vulnerable to phishing attacks. And a disgruntled employee can either hack the employer’s computer system or allow hackers to gain access through one simple click.

General Counsel at large and small companies now have cyber security as a top priority. All institutions have an obligation to their stake holders to do what they can to prevent cyber breaches. Companies should require their outside law firms to communicate with them through robust and up-to-date ephemeral messaging systems that meet their security and compliance requirements.

Additionally, law firms should take the lead in advising their clients to use ephemeral messaging to diminish the impact of cyber-attacks – which will happen.

If you would like to find out more about ephemeral messaging, Vaporstream Experts can provide additional information.